Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16-12-2024 15:43
Behavioral task: behavioral1
Sample: Resource.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Resource.exe
Resource: win10v2004-20241007-en
General
Target: Resource.exe
Size: 137KB
MD5: 4f38c635b15d7f9087a758baca7c6662
SHA1: 0cbfe507872829dc19e63436fb8e9759dfb42271
SHA256: 0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd
SHA512: dde8048dc7add02f03196438f171c52e6bd04fe099be061c6f2adcb8ed893d4e9279a823d8bd1c6d506d6f1e1857bb1ff5f5a41292e643db8aa6f025f4a8fddb
SSDEEP: 1536:5huxXrW4Heqv3taHo8a+rIq24GPwfWUzL7SWoWicEmDA1wWu0eja5JUrsD98fp4P:5AxbB+maI8aRqhvja5arGef1G5trgE
Malware Config
Extracted
phemedrone
https://mined.to/gate.php
Signatures
- Phemedrone: An information and wallet stealer written in C#.
- Phemedrone family
- Reads data files stored by FTP clients (2 TTPs): Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs): Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs): Steal credentials from unsecured files.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs): SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid | Process
  1524 | Resource.exe
  1500 | taskmgr.exe (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1524 | Resource.exe
  Token: SeDebugPrivilege | 1500 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1500 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1500 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (22 IoCs)
  pid | Process
  1500 | taskmgr.exe (22 identical entries)
- Suspicious use of SendNotifyMessage (22 IoCs)
  pid | Process
  1500 | taskmgr.exe (22 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Resource.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Resource.exe"
  PID: 1524
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3380
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1500
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage